We present a novel method for the synthesis of finite state systems that is a generalisation of the generalised reactivity(1) synthesis approach by Piterman et al. (2006). In particular, we describe an efficient method to synthesize systems from linear-time temporal logic specifications of the form

$(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$

for which each of the assumptions $a_j$ and guarantees $g_i$ has a Rabin index of one. We show how to build a parity game with at most five colours that captures all solutions to the synthesis problem from such a specification. This parity game has a structure that is amenable to symbolic implementations. We furthermore show that the results obtained are in some sense tight, i.e., that there does not exist a similar synthesis method for assumptions and guarantees of higher Rabin index, provided that $\mathrm{P} \neq \mathrm{NP}$.

1 Introduction

Synthesis of finite state systems (Kupferman and Vardi, 1999) has been proven to be a valuable concept for the development of open systems that are correct by construction. In contrast to verification, it frees the designer of a computation system from the task of actually building the system in addition to stating its specification. Therefore, this technique can significantly reduce the time for developing a correct system, making it attractive in practice.



The first works in this area were concerned with closed synthesis, where everything that can be reasoned about is under the control of the system to be synthesized. More recent works are concerned with open synthesis. Here, there exists some input to the system which is not under its control. This model is more suitable for the synthesis of reactive systems, as almost all such systems of practical relevance have some uncontrollable input. In this context, linear-time temporal logic (LTL, see, e.g., Vardi, 1996) is the predominant specification language used.

One drawback of synthesis is that its time complexity for LTL specifications is doubly-exponential in the length of the specification (Pnueli and Rosner, 1989), making the problem intractable in general. One of the reasons for this high complexity is the fact that it is possible to formulate specifications for which the smallest implementation satisfying them is of size doubly-exponential in the length of the specification. More recently, it has been argued that such high size bounds rarely occur for specifications used in practice (Jobstmann and Bloem, 2006; Schewe and Finkbeiner, 2007), so this does not necessarily affect the efficiency of synthesis for practical applications.

Footnote: [...] been simplified and some changes in style of writing have been performed.

Apart from approaches for synthesis from arbitrary LTL formulas, there also exist specialised procedures for specifications of certain forms. In particular, it has been observed that many specifications found in practice are of the form $\psi \rightarrow \varphi$ for some conjunctions of safety and basic liveness properties $\psi$ and $\varphi$. We call $\psi$ the assumption part of such a specification and $\varphi$ the guarantee part. A basic liveness property is a conjunct that can be represented by the LTL formula $\mathrm{GF}\,p$ for some atomic proposition $p$. Piterman et al. (2006) were able to show that the synthesis problem for such generalised reactivity(1) formulas can be solved in time cubic in the state space of the design. Subsequent works (Bloem et al., 2007b, a) showed that indeed this approach can be used successfully in practice.

Recently, it has been observed (Sohail et al., 2008) that the low complexity of the synthesis problem for generalised reactivity(1) specifications is not surprising, as the problem can be reduced to solving a parity game with precisely 3 colours. Furthermore, the state space of this parity game is (almost) the product state space of the deterministic Büchi automata representing the individual conjuncts of the assumption and guarantee parts, making this approach amenable to the symbolic solution of the game, for example using the algorithm by McNaughton/Zielonka (see Grädel et al., 2002 or Schewe, 2008 for comprehensive descriptions) with binary decision diagrams (see, e.g., Baier and Katoen, 2008).

As the set of properties representable by generalised reactivity(1) formulas is still relatively limited (for example, it cannot be specified that the system to be constructed should have some finite initialisation period after which it must output "ready" forever), a natural question to ask is if this approach can be extended in order to include more representable properties without losing the possibility to encode the overall specification of the system as a parity automaton with a constant number of colours. More precisely, we ask what type the assumption and guarantee conjuncts may be of such that we can build a deterministic parity automaton of size polynomial in the product of the automata representing the individual assumptions and guarantees, whose induced parity game is won if and only if the overall specification is realisable, and whose number of colours is constant (and independent of the number of assumption and guarantee conjuncts).

In this paper, we present an answer to this question. In fact, the constant number of colours can be retained if the assumption and guarantee conjuncts have a Rabin index of 1, leading to five colours in total. We call this approach generalised Rabin(1) synthesis. This result is strict, i.e., for every Rabin index $\geq 2$, a constant number of colours does not suffice (for only a polynomial blow-up in the state space of the automaton), unless $\mathrm{P} = \mathrm{NP}$. The added expressivity is shown to be of value for practical cases, making this approach a practically suitable trade-off between the approaches allowing full LTL for the specification and the faster frameworks.

We start by giving the basic definitions in Section 2. Then, we discuss in Section 3 how to convert the individual conjuncts in the specification to Rabin automata with a Rabin index of 1. Section 4 discusses how a parity game that captures the synthesis problem for such specifications can be built. Section 5 then discusses the possibility for similar approaches to specifications with conjuncts of higher Rabin index and contains the corresponding negative result. Section 6 sketches an application domain that benefits from the extended applicability of generalised Rabin(1) synthesis in comparison to generalised reactivity(1) synthesis. Section 7 finally concludes and gives an outlook.
2 Preliminaries



Words, languages and natural numbers. Let $\Sigma$ be a finite set. By $\Sigma^*$ and $\Sigma^\omega$ we denote the set of all finite and infinite sequences over $\Sigma$, respectively. Such sequences are also called words over $\Sigma$. Sets of words are also called languages. For the scope of this paper, we denote the set of natural numbers including $0$ by $\mathbb{N}_0$. If $0$ is excluded, we simply write $\mathbb{N}$.

For some sequence $w = w_0 w_1 \ldots$, we denote by $w^j$ the suffix of $w$ starting with the $j$th symbol, i.e., $w^j = w_j w_{j+1} \ldots$ for all $j \in \mathbb{N}_0$.

Mealy automata. Reactive systems are usually described using a finite state machine description. Formally, we define Mealy automata as five-tuples $\mathcal{M} = (S, \Sigma_I, \Sigma_O, \delta, s_0)$ where $S$ is some finite set of states, $\Sigma_I$ and $\Sigma_O$ are the input and output alphabets, respectively, $s_0 \in S$ is the initial state and $\delta : S \times \Sigma_I \rightarrow S \times \Sigma_O$ is the transition function of $\mathcal{M}$. The computation steps of a Mealy automaton are called cycles.

For the scope of this paper, we usually set $\Sigma_I = 2^{\mathrm{AP}_I}$ and $\Sigma_O = 2^{\mathrm{AP}_O}$ for some sets of input and output atomic propositions $\mathrm{AP}_I$ and $\mathrm{AP}_O$. This is a typical choice in the literature on synthesis and verification (Kupferman and Vardi, 1999, 1997; Vardi, 1996; Schewe and Finkbeiner, 2007; Bloem et al., 2009; Filiot et al., 2009), as specification logics such as LTL are usually used to describe the behaviour of the system with respect to the individual atomic propositions, and Mealy automata implemented in hardware usually have such an input/output structure (in which the individual atomic propositions represent the values of the input and output signals of the system).

The language induced by Mealy automata. Given a Mealy automaton $\mathcal{M} = (S, \Sigma_I, \Sigma_O, \delta, s_0)$ and some input word $i = i_0 i_1 \ldots \in \Sigma_I^\omega$, $\mathcal{M}$ induces a run $\pi = \pi_0 \pi_1 \ldots$ and some output word $o = o_0 o_1 \ldots$ over $i$ such that $\pi_0 = s_0$ and for all $j \in \mathbb{N}_0$: $\delta(\pi_j, i_j) = (\pi_{j+1}, o_j)$. Formally, we define the language of $\mathcal{M}$, written as $\mathcal{L}(\mathcal{M})$, to be the set of words $w = w_0 w_1 \ldots \in \Sigma^\omega$ with $\Sigma = 2^{\mathrm{AP}_I \cup \mathrm{AP}_O}$ such that $\mathcal{M}$ induces a run $\pi$ over the input word $i = w|_{\Sigma_I} = (w_0 \cap \mathrm{AP}_I)(w_1 \cap \mathrm{AP}_I) \ldots$ such that $w|_{\Sigma_O} = (w_0 \cap \mathrm{AP}_O)(w_1 \cap \mathrm{AP}_O) \ldots$ is the output word corresponding to $\pi$.

Linear-time temporal logic. Before a system that is correct with respect to its specification can be synthesized, the specification has to be formally stated. For such a task, linear-time temporal logic (LTL) is a commonly used logic. Syntactically, LTL formulas are defined inductively as follows (over some set of atomic propositions $\mathrm{AP}$):

• For all atomic propositions $x \in \mathrm{AP}$, $x$ is an LTL formula.

• Let $\phi_1$ and $\phi_2$ be LTL formulas. Then $\neg\phi_1$, $(\phi_1 \vee \phi_2)$, $(\phi_1 \wedge \phi_2)$, $\mathrm{X}\phi_1$, $\mathrm{F}\phi_1$, $\mathrm{G}\phi_1$, and $(\phi_1 \mathrm{U} \phi_2)$ are also valid LTL formulas.

The validity of an LTL formula $\phi$ over $\mathrm{AP}$ is defined inductively with respect to an infinite trace $w = w_0 w_1 \ldots \in (2^{\mathrm{AP}})^\omega$. Let $\phi_1$ and $\phi_2$ be LTL formulas. We set:

• $w \models p$ if and only if (iff) $p \in w_0$ for $p \in \mathrm{AP}$

• $w \models \neg\phi_1$ iff not $w \models \phi_1$

• $w \models (\phi_1 \vee \phi_2)$ iff $w \models \phi_1$ or $w \models \phi_2$

• $w \models (\phi_1 \wedge \phi_2)$ iff $w \models \phi_1$ and $w \models \phi_2$

• $w \models \mathrm{X}\phi_1$ iff $w^1 \models \phi_1$

• $w \models \mathrm{G}\phi_1$ iff for all $i \in \mathbb{N}_0$, $w^i \models \phi_1$

• $w \models \mathrm{F}\phi_1$ iff there exists some $i \in \mathbb{N}_0$ such that $w^i \models \phi_1$

• $w \models (\phi_1 \mathrm{U} \phi_2)$ iff there exists some $i \in \mathbb{N}_0$ such that for all $0 \leq j < i$, $w^j \models \phi_1$, and $w^i \models \phi_2$

We use the usual precedence rules for LTL formulas in order to be able to omit unnecessary braces and also allow the abbreviations typically used for Boolean logic, e.g., that $a \rightarrow b$ is equivalent to $\neg a \vee b$ for all formulas $a, b$.

As an example, consider the specification $\phi = \mathrm{G}(\mathit{request} \rightarrow \mathit{grant})$ over $\mathrm{AP} = \{\mathit{request}, \mathit{grant}\}$. Intuitively, such a specification would be satisfied by all runs of a Mealy automaton $\mathcal{M} = (S, \Sigma_I, \Sigma_O, \delta, s_0)$ with $\Sigma_I = 2^{\{\mathit{request}\}}$ and $\Sigma_O = 2^{\{\mathit{grant}\}}$ if all requests given to $\mathcal{M}$ are answered by a grant immediately, i.e., in the same cycle. In other papers (e.g., Filiot et al., 2009; Jobstmann and Bloem, 2006), in which the order of input and output is inverted, the specification would have to be changed to $\phi = \mathrm{G}(\mathit{request} \rightarrow \mathrm{X}\,\mathit{grant})$ in order to be semantically equivalent to our model here. We however prefer our model as it typically shortens the LTL formulas to be considered in the synthesis procedure.
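The following added example (not code from the paper) makes the two definitions above concrete: it runs a Mealy automaton on a lasso-shaped input word $u v^\omega$, builds the induced word over $2^{\mathrm{AP}_I \cup \mathrm{AP}_O}$ as in the definition of $\mathcal{L}(\mathcal{M})$, and evaluates an LTL formula on it with the semantics given above. Because the suffixes $w^k$ and $w^{k+|v|}$ coincide for $k \geq |u|$, every temporal operator only has to inspect $|u|+|v|$ positions. The two machines and the input word are constructed for this example; they illustrate why $\mathrm{G}(\mathit{request} \rightarrow \mathit{grant})$ under the Mealy convention used here corresponds to $\mathrm{G}(\mathit{request} \rightarrow \mathrm{X}\,\mathit{grant})$ in the inverted model.

```python
# Added example (not from the paper): a Mealy automaton over 2^{AP_I} / 2^{AP_O}
# and an LTL checker for lasso-shaped words u v^omega, following the
# definitions of Section 2.  All machines and inputs below are constructed.
from functools import lru_cache


def mealy_lasso(delta, s0, prefix, loop):
    """Run the Mealy automaton (delta: (state, input letter) -> (state, output
    letter)) on the input word prefix . loop^omega and return the induced word
    w_j = i_j ∪ o_j over 2^{AP_I ∪ AP_O}, again as a lasso (u, v)."""
    assert loop, "the loop part must be non-empty"
    state, out = s0, []
    for i in prefix:
        state, o = delta(state, i)
        out.append(frozenset(i | o))
    first_seen = {}  # state at the start of a loop iteration -> index into out
    while state not in first_seen:
        first_seen[state] = len(out)
        for i in loop:
            state, o = delta(state, i)
            out.append(frozenset(i | o))
    k = first_seen[state]  # from here on the induced word repeats
    return out[:k], out[k:]


def ltl_holds(phi, u, v):
    """w |= phi for w = u v^omega.  phi is a nested tuple: ('ap', p), ('not', f),
    ('and', f, g), ('or', f, g), ('implies', f, g), ('X', f), ('F', f),
    ('G', f), ('U', f, g).  Suffixes w^k and w^(k+|v|) coincide for k >= |u|,
    so every temporal operator only has to look |u| + |v| steps ahead."""
    n, m = len(u), len(v)

    def norm(k):
        return k if k < n else n + (k - n) % m

    def letter(k):
        return u[k] if k < n else v[k - n]

    @lru_cache(maxsize=None)
    def sat(f, k):  # k is always a normalised position
        op = f[0]
        if op == 'ap':
            return f[1] in letter(k)
        if op == 'not':
            return not sat(f[1], k)
        if op == 'and':
            return sat(f[1], k) and sat(f[2], k)
        if op == 'or':
            return sat(f[1], k) or sat(f[2], k)
        if op == 'implies':
            return (not sat(f[1], k)) or sat(f[2], k)
        if op == 'X':
            return sat(f[1], norm(k + 1))
        if op == 'G':
            return all(sat(f[1], norm(k + s)) for s in range(n + m))
        if op == 'F':
            return any(sat(f[1], norm(k + s)) for s in range(n + m))
        if op == 'U':
            for s in range(n + m):
                if sat(f[2], norm(k + s)):
                    return True
                if not sat(f[1], norm(k + s)):
                    return False
            return False
        raise ValueError("unknown operator %r" % op)

    return sat(phi, 0)


NONE, REQ = frozenset(), frozenset({'request'})
GRANT = frozenset({'grant'})


def immediate(state, i):
    """Answers a request in the same cycle (the paper's Mealy convention)."""
    return state, GRANT if 'request' in i else NONE


def delayed(state, i):
    """Answers one cycle later; the state records a pending request."""
    return 'request' in i, GRANT if state else NONE


SPEC_SAME_CYCLE = ('G', ('implies', ('ap', 'request'), ('ap', 'grant')))
SPEC_NEXT_CYCLE = ('G', ('implies', ('ap', 'request'), ('X', ('ap', 'grant'))))
# constructed input: no request, request, then (request, no request)^omega
INPUT = ([NONE, REQ], [REQ, NONE])


def satisfies(delta, s0, spec, inp=INPUT):
    u, v = mealy_lasso(delta, s0, *inp)
    return ltl_holds(spec, u, v)
```

`satisfies(immediate, 0, SPEC_SAME_CYCLE)` holds while `satisfies(immediate, 0, SPEC_NEXT_CYCLE)` does not, and the delayed machine behaves the other way round: the same hardware is described by different formulas depending on whether the output is read in the same cycle as the input or one cycle later.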

Labelled parity games. A labelled parity game is a tuple $\mathcal{G} = (V_0, V_1, \Sigma_0, \Sigma_1, E_0, E_1, v_0, c)$ with $E_0 : V_0 \times \Sigma_0 \rightarrow V_1$ and $E_1 : V_1 \times \Sigma_1 \rightarrow V_0$. We abbreviate $V = V_0 \uplus V_1$. We only consider finite games here, for which $V_0$, $V_1$, $\Sigma_0$ and $\Sigma_1$ are finite. The initial vertex $v_0$ is always a member of $V_0$. The colouring function $c : V_0 \rightarrow \mathbb{N}_0$ assigns to each vertex in $V_0$ a colour. For the scope of this paper, we only assign colours to vertices of player 0.

A decision sequence in $\mathcal{G}$ is a sequence $\rho = \rho_0^0 \rho_0^1 \rho_1^0 \rho_1^1 \ldots$ such that for all $i \in \mathbb{N}_0$, $\rho_i^0 \in \Sigma_0$ and $\rho_i^1 \in \Sigma_1$. A decision sequence $\rho$ induces an infinite play $\pi = \pi_0^0 \pi_0^1 \pi_1^0 \pi_1^1 \ldots$ if $\pi_0^0 = v_0$ and for all $i \in \mathbb{N}_0$, $p \in \{0, 1\}$, $\pi_{i+p}^{1-p} = E_p(\pi_i^p, \rho_i^p)$.

Given a play $\pi = \pi_0^0 \pi_0^1 \pi_1^0 \pi_1^1 \ldots$, we say that $\pi$ is winning for player 0 if $\max\{c(v) \mid v \in V_0, v \in \mathrm{inf}(\pi_0^0 \pi_1^0 \ldots)\}$ is even, for the function $\mathrm{inf}$ mapping a sequence onto the set of elements that appear infinitely often in the sequence. If a play is not winning for player 0, it is winning for player 1.

Given some parity game $\mathcal{G} = (V_0, V_1, \Sigma_0, \Sigma_1, E_0, E_1, v_0, c)$, a strategy for player 0 is a function $f : (\Sigma_0 \times \Sigma_1)^* \rightarrow \Sigma_0$. Likewise, a strategy for player 1 is a function $f : (\Sigma_0 \times \Sigma_1)^* \times \Sigma_0 \rightarrow \Sigma_1$. In both cases, a strategy maps prefix decision sequences to an action to be chosen next. A decision sequence $\rho = \rho_0^0 \rho_0^1 \rho_1^0 \rho_1^1 \ldots$ is said to be in correspondence with a strategy $f$ for player $p$ if for every $i \in \mathbb{N}_0$, we have $\rho_i^p = f(\rho_0^0 \rho_0^1 \cdots \rho_{i+p-1}^{1-p})$. A strategy is winning for player $p$ if all plays in the game that are induced by some decision sequence that is in correspondence to $f$ are winning for player $p$. It is a well-known fact that for parity games, there exists a winning strategy for precisely one of the players (see, e.g., Grädel et al., 2002). We call a state $v \in V_0$ winning for player $p$ if changing the initial state to $v$ makes or leaves the game winning for player $p$. Likewise, a state $v' \in V_1$ is called winning for player $p$ if a modified version of the game, that results from introducing a new initial state with only one transition to $v'$, is (still) winning for player $p$.

If a strategy $f$ for player $p$ is a positional strategy, then $f(\rho_0^0 \rho_0^1 \cdots \rho_{n+p-1}^{1-p}) = f'(E_{1-p}(\ldots E_1(E_0(v_0, \rho_0^0), \rho_0^1), \ldots, \rho_{n+p-1}^{1-p}))$ for some function $f' : V_p \rightarrow \Sigma_p$, i.e., the choice only depends on the vertex the prefix decision sequence leads to. By abuse of notation, we call both $f'$ and $f$ positional strategies. Note that such a function $f'$ is finitely representable as both domain and co-domain are finite. For parity games, it is known that there exists a winning positional strategy for a player if and only if there exists some winning strategy for the same player.

Note that a translation between this model and an alternative model where the colouring function is defined for both players is easily possible with only a slight alteration of the game structure.
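As an added example (not code from the paper), the following solves a labelled parity game in the sense just defined with the recursive McNaughton/Zielonka algorithm that the introduction refers to, here in its enumerative rather than symbolic form. Player 1's vertices carry no colour in this model; giving them colour 0 in the graph form does not change the maximal colour occurring infinitely often in any play, since plays alternate between $V_0$ and $V_1$. The game instance at the end is constructed for this example: from $s_0$ and $s_1$ player 0 can always move to $t_0$, from where player 1 only reaches colours 0 and 2, while the vertices $s_2$ and $t_1$ form a cycle of colour 1 that nobody can leave.

```python
# Added example (not the paper's code): a labelled parity game in the sense of
# Section 2, colours only on player 0's vertices, solved with the recursive
# McNaughton/Zielonka algorithm.  The game below is constructed.


def zielonka(vertices, owner, succ, colour):
    """Return (W0, W1), the vertices from which player 0 / player 1 wins.
    owner[v] in {0, 1}; succ[v] is the set of successors; colour[v] >= 0; player 0
    wins a play iff the largest colour seen infinitely often is even."""
    if not vertices:
        return set(), set()

    def attractor(player, target):
        # least set from which `player` can force a visit to `target`
        attr = set(target)
        changed = True
        while changed:
            changed = False
            for v in vertices - attr:
                out = succ[v] & vertices
                if (owner[v] == player and out & attr) or \
                   (owner[v] != player and out <= attr):
                    attr.add(v)
                    changed = True
        return attr

    d = max(colour[v] for v in vertices)
    p = d % 2  # the player for whom colour d is good
    w = zielonka(vertices - attractor(p, {v for v in vertices if colour[v] == d}),
                 owner, succ, colour)
    if not w[1 - p]:  # the opponent wins nowhere else: p wins the whole game
        return (vertices, set()) if p == 0 else (set(), vertices)
    b = attractor(1 - p, w[1 - p])
    w2 = zielonka(vertices - b, owner, succ, colour)
    regions = [set(), set()]
    regions[p] = w2[p]
    regions[1 - p] = w2[1 - p] | b
    return regions[0], regions[1]


def labelled_game_to_graph(V0, V1, Sigma0, Sigma1, E0, E1, c):
    """Graph form of a labelled parity game (V0, V1, Sigma0, Sigma1, E0, E1, v0, c).
    Player 1's vertices get colour 0; since plays alternate between V0 and V1
    this never changes the maximal colour occurring infinitely often."""
    vertices = set(V0) | set(V1)
    owner = {v: 0 for v in V0}
    owner.update({v: 1 for v in V1})
    succ = {v: {E0(v, s) for s in Sigma0} for v in V0}
    succ.update({v: {E1(v, s) for s in Sigma1} for v in V1})
    colour = {v: c[v] for v in V0}
    colour.update({v: 0 for v in V1})
    return vertices, owner, succ, colour


# Constructed game: from s0/s1 player 0 can always move to t0, where player 1
# can only return to s0 (colour 0) or s1 (colour 2); choosing 1 leads via t1
# to s2 (colour 1), and s2/t1 form a cycle nobody can leave.
E0 = {('s0', 0): 't0', ('s0', 1): 't1', ('s1', 0): 't0', ('s1', 1): 't1',
      ('s2', 0): 't1', ('s2', 1): 't1'}
E1 = {('t0', 0): 's0', ('t0', 1): 's1', ('t1', 0): 's2', ('t1', 1): 's2'}
COLOUR = {'s0': 0, 's1': 2, 's2': 1}


def solve_example():
    graph = labelled_game_to_graph(['s0', 's1', 's2'], ['t0', 't1'], [0, 1], [0, 1],
                                   lambda v, s: E0[(v, s)], lambda v, s: E1[(v, s)],
                                   COLOUR)
    return zielonka(*graph)
```

`solve_example()` returns the winning regions `{'s0', 's1', 't0'}` for player 0 and `{'s2', 't1'}` for player 1; the positional strategy for player 0 is to choose action 0 in $s_0$ and $s_1$.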
ω-automata. An ω-automaton $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{F})$ is a five-tuple consisting of some finite state set $Q$, some finite alphabet $\Sigma$, some initial state $q_0 \in Q$, some transition function $\delta : Q \times \Sigma \rightarrow 2^Q$ and some acceptance component $\mathcal{F}$ (to be defined later). We say that an automaton is deterministic if for every $q \in Q$ and $x \in \Sigma$, $|\delta(q, x)| \leq 1$. Given an ω-automaton $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{F})$, we also call $(Q, \Sigma, q_0, \delta)$ the transition structure of $\mathcal{A}$.

Given an infinite word $w = w_1 w_2 \ldots \in \Sigma^\omega$ and an ω-automaton $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{F})$, we say that some sequence $\pi = \pi_0 \pi_1 \ldots$ is a run for $w$ if $\pi_0 = q_0$ and for all $i \in \{1, 2, \ldots\}$, $\pi_i \in \delta(\pi_{i-1}, w_i)$. We say that $\pi$ is accepting if for $\mathrm{inf}(\pi) = \{q \in Q \mid \exists^\infty j \in \mathbb{N} : \pi_j = q\}$, $\mathrm{inf}(\pi)$ is accepted by $\mathcal{F}$. The acceptance of $\pi$ by $\mathcal{F}$ is defined with respect to the type of $\mathcal{F}$, for which many have been proposed in the literature (Grädel et al., 2002).

• For a safety acceptance condition, all infinite runs are accepting. In this case, the $\mathcal{F}$-symbol can also be omitted from the automaton definition.

• For a Büchi acceptance condition $\mathcal{F} \subseteq Q$, $\pi$ is accepting if $\mathrm{inf}(\pi) \cap \mathcal{F} \neq \emptyset$. Here, $\mathcal{F}$ is also called the set of accepting states.

• For a co-Büchi acceptance condition $\mathcal{F} \subseteq Q$, $\pi$ is accepting if $\mathrm{inf}(\pi) \cap \mathcal{F} = \emptyset$. Here, $\mathcal{F}$ is also called the set of rejecting states.

• For a generalised Büchi acceptance condition $\mathcal{F} \subseteq 2^Q$, $\pi$ is accepting if for all $F \in \mathcal{F}$, $\mathrm{inf}(\pi) \cap F \neq \emptyset$.

• For a parity acceptance condition, $\mathcal{F} : Q \rightarrow \mathbb{N}_0$ and $\pi$ is accepting in the case that $\max\{\mathcal{F}(v) \mid v \in \mathrm{inf}(\pi)\}$ is even.

• For a Rabin acceptance condition $\mathcal{F} \subseteq 2^Q \times 2^Q$, $\pi$ is accepting if for $\mathcal{F} = \{(F_1, G_1), \ldots, (F_n, G_n)\}$, there exists some $1 \leq i \leq n$ such that $\mathrm{inf}(\pi) \subseteq F_i$ and $\mathrm{inf}(\pi) \cap G_i \neq \emptyset$.

• For a Streett acceptance condition $\mathcal{F} \subseteq 2^Q \times 2^Q$, $\pi$ is accepting if for $\mathcal{F} = \{(F_1, G_1), \ldots, (F_n, G_n)\}$ and for all $1 \leq i \leq n$, we have $\mathrm{inf}(\pi) \not\subseteq F_i$ or $\mathrm{inf}(\pi) \cap G_i = \emptyset$.

• For a Muller acceptance condition $\mathcal{F} \subseteq 2^Q$, $\pi$ is accepting if $\mathrm{inf}(\pi) \in \mathcal{F}$.

The language of $\mathcal{A}$ is defined as the set of words for which there exists a run that is accepting with respect to the type of the acceptance condition. We also call automata with a $t$-type acceptance condition $t$-automata (for $t \in \{$safety, Büchi, co-Büchi, generalised Büchi, parity, Rabin, Streett, Muller$\}$). For Rabin automata, $|\mathcal{F}|$ is also called the Rabin index of the automaton. For the scope of this paper and without loss of generality, we assume that all deterministic non-safety automata have no dead-ends, i.e., for all $q \in Q$ and $x \in \Sigma$, we have $|\delta(q, x)| = 1$.

The Rabin hierarchy. It has been proven that the set of languages representable by the following automaton types is the same (see, e.g., Grädel et al., 2002):

• deterministic Muller, non-deterministic Muller

• deterministic Streett, non-deterministic Streett

• deterministic Rabin, non-deterministic Rabin

• deterministic parity, non-deterministic parity

• non-deterministic Büchi

This set is called the ω-regular languages.

Given an alphabet $\Sigma$ and some ω-regular language $L \subseteq \Sigma^\omega$, there exists some number $n$ such that some deterministic Rabin automaton with $n$ acceptance pairs accepts $L$ and there does not exist a deterministic Rabin automaton with less than $n$ acceptance pairs that accepts precisely $L$. We call this number $n$ the Rabin index of $L$. It has been proven that the so-called Rabin hierarchy is strict, i.e., for every Rabin index value $n \in \mathbb{N}$, there exists some language with a Rabin index of $n$ (Kaminski, 1985).

In this paper, we pay special attention to languages with a Rabin index of 1. These strictly contain the set of languages representable by safety and deterministic Büchi or co-Büchi automata.

Parity automata and parity games. Given a deterministic parity automaton $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{F})$ with $\Sigma = 2^{\mathrm{AP}_I \cup \mathrm{AP}_O}$, it is well-known that $\mathcal{A}$ can be converted to a parity game $\mathcal{G}$ such that $\mathcal{G}$ admits a winning strategy for player 1 (the so-called system player) if and only if there exists a Mealy automaton $\mathcal{M}$ reading $\Sigma_I = 2^{\mathrm{AP}_I}$ and outputting $\Sigma_O = 2^{\mathrm{AP}_O}$ such that the language induced by $\mathcal{M}$ is a subset of the language of $\mathcal{A}$ (see, e.g., Thomas, 2008). Furthermore, from a winning positional strategy in $\mathcal{G}$, such a Mealy automaton $\mathcal{M}$ can easily be extracted.

3 Obtaining deterministic automata from parts of the specification

Many specifications found in practice are of the form

$(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$ (1)

for some set of assumptions $a_1, \ldots, a_{n_a}$ and guarantees $g_1, \ldots, g_{n_g}$ (see, e.g., Piterman et al., 2006; Bloem et al., 2007a, b; Könighofer et al., 2009). Such a specification is typical for a case in which a single component of a bigger system is to be synthesized, as some assumptions about the environment (i.e., the behaviour of the other components) can be given and the part to be synthesized in turn has to satisfy some guarantees.

Piterman et al. (2006) presented the generalised reactivity(1) synthesis approach for performing synthesis for specifications of the form stated in Formula 1. Although not explicitly stated (see, e.g., Könighofer et al., 2009), the approach can be used whenever all assumptions and guarantees are representable and given as deterministic Büchi automata. The question of how to obtain these automata from guarantees and assumptions given in some logic like LTL has been left open.

In this section, we address this problem for both the generalised reactivity(1) and the generalised Rabin(1) synthesis approaches, of which the latter will be introduced in the following section. We carefully treat the two cases and point out similarities and differences in the process of obtaining deterministic automata for the two approaches.

In the following, we abbreviate the terms "generalised reactivity(1)" by GR(1) and "generalised Rabin(1)" by GRabin(1).

3.1 The classical construction

The classical way of obtaining a deterministic automaton $\mathcal{A}$ from an LTL formula $\psi$ is to perform the following steps:

• Convert $\psi$ to an equivalent non-deterministic Büchi automaton $\mathcal{A}'$ (entry points to the literature are Vardi, 1996 and Gastin and Oddoux, 2001).

• Convert $\mathcal{A}'$ to a deterministic Rabin or parity automaton using (something similar to) Safra's construction (Henzinger and Piterman, 2006; Safra, 1989).

As a result, we obtain automata with possibly high Rabin indices. For generalised reactivity(1) synthesis, we need to convert them to deterministic Büchi automata afterwards. For generalised Rabin(1) synthesis, a conversion to deterministic Rabin automata with a single acceptance pair is necessary. Furthermore, whenever this is not possible, the specification has to be discarded as not being usable for GR(1)/GRabin(1) synthesis, respectively. So in both cases, additional steps have to be performed.

For the generalised reactivity(1) case, this is simple. As deterministic Rabin automata are Büchi-type (Kupferman et al., 2006), they can easily be converted to Büchi automata whenever possible in polynomial time (Krishnan et al., 1994). Additionally, these Büchi automata can then be minimised (Ehlers, 2010).

For the generalised Rabin case, we can apply some algorithm for obtaining a Rabin automaton with the same language but a minimal Rabin index. Krishnan et al. (1995) describe a suitable algorithm running in time polynomial in the source automaton size.

3.2 Using a general LTL synthesis procedure

An alternative method for obtaining deterministic Büchi or one-pair Rabin automata equivalent to a given LTL formula $\psi$ has been given by Kupferman and Vardi (2005).

Let $\psi$ range over a set of variables $I$. The problem of obtaining an equivalent deterministic Büchi automaton can be solved by reduction to the finite-state system synthesis problem of the specification $\phi = \psi \leftrightarrow (\mathrm{GF}\,\mathit{out})$ with the input variable set $I$ and the output variable set $\{\mathit{out}\}$. Any finite-state machine satisfying the specification can be converted to a suitable Büchi automaton by duplicating all states, making one copy of each state accepting, and routing the transitions to the respective accepting states if and only if $\mathit{out}$ is set to true.

Equivalently, obtaining a one-pair Rabin automaton from a specification $\psi$ over some variable set $I$ can be reduced to finite-state system synthesis with the specification $\phi = \psi \leftrightarrow (\mathrm{FG}\,\mathit{out}_1 \wedge \mathrm{GF}\,\mathit{out}_2)$, the input variable set $I$, and the output variable set $\{\mathit{out}_1, \mathit{out}_2\}$.

For performing the synthesis step in practice, any of the known algorithms can be used (see, e.g., Kupferman and Vardi, 1999, 2005; Schewe and Finkbeiner, 2007; Henzinger and Piterman, 2006; Vardi, 1996).

4 Performing generalised Rabin(1) synthesis by reduction to parity games

In this section, we present the core construction of the generalised Rabin(1) synthesis approach, i.e., how we transform a specification of the form

$\psi = (a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$

for some set of assumptions $a_1, \ldots, a_{n_a}$ and some set of guarantees $g_1, \ldots, g_{n_g}$ given in form of deterministic one-pair Rabin automata to a deterministic parity automaton with at most 5 colours that accepts precisely the words that satisfy $\psi$. The number of states of the generated automaton is polynomial in the product of the state numbers of the individual Rabin automata $a_1, \ldots, a_{n_a}, g_1, \ldots, g_{n_g}$. The generated parity automaton can then be transformed into a parity game (taking into account the partitioning of the atomic propositions into input and output bits) that is winning for player 1 if and only if there exists a Mealy automaton over the given sets of inputs and outputs such that all of its runs satisfy the specification.

Note that by the definition of Rabin acceptance, a word is accepted by a deterministic one-pair Rabin automaton $\mathcal{A} = (Q, \Sigma, q_0, \delta, \{(F, G)\})$ if and only if it is accepted by the co-Büchi automaton $\mathcal{A}_C = (Q, \Sigma, q_0, \delta, Q \setminus F)$ and the Büchi automaton $\mathcal{A}_B = (Q, \Sigma, q_0, \delta, G)$. Therefore, we can decompose a specification of the form stated above into four sets of automata:

• A set $A = \{A_1, \ldots, A_{n_1}\}$ containing the automata of the assumption conjuncts with Büchi acceptance condition

• A set $B = \{B_1, \ldots, B_{n_2}\}$ containing the automata of the assumption conjuncts with co-Büchi acceptance condition

• A set $C = \{C_1, \ldots, C_{n_3}\}$ containing the automata of the guarantee conjuncts with Büchi acceptance condition

• A set $D = \{D_1, \ldots, D_{n_4}\}$ containing the automata of the guarantee conjuncts with co-Büchi acceptance condition

For improved readability of the following description of the algorithm, by abuse of notation, we introduce $\delta$, $Q$, $q_0$, $\Sigma$, and $\mathcal{F}$ as functions mapping automata onto their components. For example, given some automaton $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{F})$, we have $\Sigma(\mathcal{A}) = \Sigma$. Recall that for the co-Büchi automata in $B$ and $D$, $\mathcal{F}$ is the set of rejecting states.

We furthermore assume that for all $a, a' \in A \uplus B \uplus C \uplus D$, $\Sigma(a) = \Sigma(a')$, i.e., all automata share the same alphabet.

We construct the parity automaton $\mathcal{A}' = (Q', \Sigma', \delta', q'_0, \mathcal{F}')$ as follows:

• $\Sigma'$ is chosen such that for all $a \in A \uplus B \uplus C \uplus D$: $\Sigma' = \Sigma(a)$

• $Q' = Q(A_1) \times \ldots \times Q(D_{n_4}) \times \{0, 1, \ldots, n_1\} \times \{0, 1, \ldots, n_3\} \times \mathbb{B}$

• For all $q = (q_1^A, \ldots, q_{n_4}^D, q^W, q^R, q^T) \in Q'$ and $x \in \Sigma'$, we define $\delta'(q, x) = (q'^A_1, \ldots, q'^D_{n_4}, q'^W, q'^R, q'^T)$ such that:

  - For all $1 \leq i \leq n_1$: $\delta(A_i)(q_i^A, x) = \{q'^A_i\}$

  - For all $1 \leq i \leq n_2$: $\delta(B_i)(q_i^B, x) = \{q'^B_i\}$

  - For all $1 \leq i \leq n_3$: $\delta(C_i)(q_i^C, x) = \{q'^C_i\}$

  - For all $1 \leq i \leq n_4$: $\delta(D_i)(q_i^D, x) = \{q'^D_i\}$

  - $q'^W = (q^W + 1) \bmod (n_1 + 1)$ if $q^W = 0$ or $q'^A_{q^W} \in \mathcal{F}(A_{q^W})$, otherwise $q'^W = q^W$.

  - $q'^R = (q^R + 1) \bmod (n_3 + 1)$ if $q^R = 0$ or $q'^C_{q^R} \in \mathcal{F}(C_{q^R})$, otherwise $q'^R = q^R$.

  - $q'^T = \mathit{true}$ if and only if (at least) one of the following two conditions holds:

    * $q^W = 0$

    * $q^T = \mathit{true}$ and for all $1 \leq i \leq n_4$, $q_i^D \notin \mathcal{F}(D_i)$

    (The current components $q_i^D$ rather than the successor components are tested here, so that $q^T$ stays $\mathit{true}$ until a state of colour 3, defined below, has actually been visited.)

• For all $q = (q_1^A, \ldots, q_{n_4}^D, q^W, q^R, q^T) \in Q'$, $\mathcal{F}'$ maps $q$ to the least value $c \in \{0, 1, 2, 3, 4\}$ such that:

  - $c = 4$ if for some $1 \leq i \leq n_2$: $q_i^B \in \mathcal{F}(B_i)$

  - $c \geq 3$ if $q^T = \mathit{true}$ and for some $1 \leq i \leq n_4$: $q_i^D \in \mathcal{F}(D_i)$

  - $c \geq 2$ if $q^R = 0$

  - $c \geq 1$ if $q^W = 0$

• $q'_0 = (q_0(A_1), \ldots, q_0(D_{n_4}), 0, 0, \mathit{false})$
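The following added example (not the paper's code) implements the construction above and runs the resulting parity automaton on lasso-shaped words $u v^\omega$, on which the run of a deterministic automaton becomes periodic and the maximal colour occurring infinitely often can be read off the cycle. The one-pair Rabin automata are constructed for this example: their state is simply the last letter read, which suffices for the assumption $\mathrm{GF}\,r$ (a Büchi property, $F = Q$) and the guarantee $\mathrm{FG}\,\mathit{ready} \wedge \mathrm{GF}\,\mathit{grant}$ (a property of Rabin index 1 that is neither Büchi nor co-Büchi). Since the Büchi part $A_i$ and the co-Büchi part $B_i$ of one assumption share a transition structure, the product keeps a single state component per Rabin automaton and tests membership in $G$ and in $Q \setminus F$ on it.

```python
# Added example (not the paper's code): the Section 4 product construction,
# run on lasso-shaped words.  The one-pair Rabin automata used below are
# constructed for this example; they remember only the last letter read.
from dataclasses import dataclass
from typing import Callable, Hashable


@dataclass(frozen=True)
class Rabin1:
    """Deterministic one-pair Rabin automaton (Q, Sigma, q0, delta, {(F, G)}),
    with F and G given as membership tests: a run is accepting iff
    inf(run) ⊆ F and inf(run) ∩ G ≠ ∅.  Its co-Büchi part rejects on Q \\ F,
    its Büchi part accepts on G (Section 4)."""
    q0: Hashable
    delta: Callable[[Hashable, frozenset], Hashable]
    inF: Callable[[Hashable], bool]
    inG: Callable[[Hashable], bool]


def last_letter(in_f, in_g):
    """Transition structure whose state is the last letter read."""
    return Rabin1(frozenset(), lambda q, x: x, in_f, in_g)


def grabin1_product(assumptions, guarantees):
    """Return (q0', delta', colour) of the 5-colour parity automaton A'.
    Every assumption contributes A_i (Büchi, accepting set G) and B_i
    (co-Büchi, rejecting set Q \\ F); every guarantee contributes C_i and D_i.
    A product state holds one component per Rabin automaton plus the
    counters q^W, q^R and the bit q^T of the construction."""
    n1, n3 = len(assumptions), len(guarantees)
    q0 = (tuple(a.q0 for a in assumptions), tuple(g.q0 for g in guarantees),
          0, 0, False)

    def delta(q, x):
        qa, qg, qW, qR, qT = q
        qa2 = tuple(a.delta(s, x) for a, s in zip(assumptions, qa))
        qg2 = tuple(g.delta(s, x) for g, s in zip(guarantees, qg))
        # q^W cycles through the Büchi assumptions A_1..A_n1, waiting at each
        # for an accepting state; value 0 marks a completed round.
        if qW == 0 or assumptions[qW - 1].inG(qa2[qW - 1]):
            qW2 = (qW + 1) % (n1 + 1)
        else:
            qW2 = qW
        if qR == 0 or guarantees[qR - 1].inG(qg2[qR - 1]):
            qR2 = (qR + 1) % (n3 + 1)
        else:
            qR2 = qR
        # q^T is raised when q^W completes a round and stays raised until the
        # current state is rejecting for some D_i, i.e. until colour 3 was seen.
        qT2 = qW == 0 or (qT and all(g.inF(s) for g, s in zip(guarantees, qg)))
        return qa2, qg2, qW2, qR2, qT2

    def colour(q):
        qa, qg, qW, qR, qT = q
        if any(not a.inF(s) for a, s in zip(assumptions, qa)):
            return 4  # some B_i is in a rejecting state: assumption violated
        if qT and any(not g.inF(s) for g, s in zip(guarantees, qg)):
            return 3  # some D_i is in a rejecting state while q^T is set
        if qR == 0:
            return 2  # every Büchi guarantee saw an accepting state in a round
        if qW == 0:
            return 1  # every Büchi assumption saw an accepting state in a round
        return 0

    return q0, delta, colour


def accepts_lasso(q0, delta, colour, prefix, loop):
    """Parity acceptance of u v^omega by a deterministic automaton: run until a
    (state, loop position) pair repeats and inspect the colours on the cycle."""
    q = q0
    for x in prefix:
        q = delta(q, x)
    seen, trace, pos = {}, [], 0
    while (q, pos) not in seen:
        seen[(q, pos)] = len(trace)
        trace.append(q)
        q, pos = delta(q, loop[pos]), (pos + 1) % len(loop)
    cycle = trace[seen[(q, pos)]:]
    return max(colour(s) for s in cycle) % 2 == 0


# Constructed specification: assumption GF r (a Büchi property, F = Q) and
# guarantee FG ready ∧ GF grant (a genuine Rabin-index-1 property).
ASSUMPTION = last_letter(lambda s: True, lambda s: 'r' in s)
GUARANTEE = last_letter(lambda s: 'ready' in s, lambda s: 'grant' in s)


def letter(*props):
    return frozenset(props)


def spec_holds(prefix, loop):
    q0, delta, colour = grabin1_product([ASSUMPTION], [GUARANTEE])
    return accepts_lasso(q0, delta, colour, prefix, loop)
```

The four words checked in the usage below exercise cases 5, 3, 4 and 2 of the explanation that follows: a word satisfying everything is accepted, a word with the assumption satisfied but `ready` dropped infinitely often is rejected through colour 3, a word without any `grant` is rejected through colour 1, and a word without any `r` is accepted because the assumption is violated.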

4.1 Explanation of the construction

In this sub-section, we discuss the construction of the automaton $\mathcal{A}' = (Q', \Sigma', \delta', q'_0, \mathcal{F}')$ as described above and give a correctness proof.

The states $q = (q_1^A, \ldots, q_{n_4}^D, q^W, q^R, q^T) \in Q'$ in the automaton have some components $q_1^A, \ldots, q_{n_4}^D$ that basically represent the automata of $A \uplus B \uplus C \uplus D$ running in parallel. The remaining part of the state tuples corresponds to some additional control structure for checking if the specification $(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$ is satisfied. Note that adding the control structure only results in a polynomial blow-up. The parts of the control structure have the following purposes:

• The counter $q^W$ keeps track of the Büchi assumption for which an accepting state is to be visited next. The construction of this part of the parity game is essentially the same as for de-generalising generalised Büchi automata (see, e.g., Thomas, 1994, Lemma 1.2).

• The counter $q^R$ does the same for the guarantees.

• The bit $q^T$ tracks if recently accepting states for all automata in $A$ have been visited.

These counters and bits suffice for assigning colours to the states in $\mathcal{A}'$ such that the highest number occurring infinitely often along a run is even if and only if the corresponding word satisfies $(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$. Understanding the idea behind the construction is most simple by considering the five reasons for rejecting/accepting a word individually:

1. A word should be accepted by $\mathcal{A}'$ if it is not accepted by some automaton $b \in B$ (violation of a co-Büchi assumption).

2. A word should be accepted by $\mathcal{A}'$ if it is not accepted by some automaton $a \in A$ (violation of a Büchi assumption).

3. If the assumptions are satisfied, a word should be rejected if it is not accepted by some automaton $d \in D$ (violation of a co-Büchi guarantee).

4. If the assumptions are satisfied, a word should be rejected if it is not accepted by some automaton $c \in C$ (violation of a Büchi guarantee).

5. In the remaining cases (i.e., all the assumptions and guarantees are satisfied), a word should be accepted.

It is clear from the definition of the specification that an automaton satisfying these constraints is suitable for the synthesis task. The automaton $\mathcal{A}'$ fulfils these criteria, as the following lines of thought show:

1. Assume that some automaton $b \in B$ does not accept the input/output word. In this case, rejecting states of $b$ are visited infinitely often, resulting in the colour 4 occurring infinitely often along the run. As this is the highest possible colour, the word is accepted.

2. Assume that some automaton $a \in A$ does not accept the input/output word. Without loss of generality, we can assume that all automata in $B$ accept the word, as otherwise the previous item already covers this case. So, colour 4 is not visited infinitely often.

Since some automaton $a \in A$ does not accept the input/output word, the counter $q^W$ stalls at some point as it cycles through all automata of $A$, waiting for visits to their respective accepting states. Consequently, the value of $q^T$ can only be set from false to true finitely often. As every occurrence of colour 3 resets $q^T$ to false after $q^W$ has stalled and requires $q^T$ to be equal to true beforehand, states with colour 3 can only be visited finitely often.

Finally, colour 1 cannot be visited infinitely often as the counter $q^W$ eventually stalls at a value different from 0.

Thus, only the colours 2 or 0 can be visited infinitely often, leading to acceptance of the word.

3. Assume that the assumptions are satisfied, but some co-Büchi automaton $d \in D$ of the guarantee part of the specification does not accept the input/output word.

In this case, as the Büchi assumptions are fulfilled, $q^W$ is set to 0 infinitely often and thus $q^T$ will be equal to true infinitely often. As for some $d \in D$, its rejecting states are visited infinitely often, and $q^T$ stays equal to true until a state with colour 3 has been visited, this implies that colour 3 occurs infinitely often. As colour 4 does not occur infinitely often (the co-Büchi assumptions are fulfilled), the input/output word is rejected.

4. Assume that the assumptions are satisfied, but some Büchi automaton $c \in C$ of the guarantee part of the specification does not accept the input/output word.

In this case, at some point during the run, the $q^R$-part of the states occurring stalls at a number $\neq 0$, i.e., the counter will not be increased or reset any longer, leading to only finitely many visits to colour 2. Since the co-Büchi assumptions are satisfied, states with the colour 4 are only visited finitely often (see above). We can also assume that the co-Büchi guarantees are fulfilled as otherwise the previous item covers this case, so states with colour 3 are visited only finitely often.

Thus, as the Büchi assumptions hold, the counter $q^W$ is reset infinitely often and colour 1 is the highest one occurring infinitely often, the word is rejected.

5. Assume that all guarantees and assumptions are satisfied. In this case, from some point onwards, colours 3 and 4 are never visited (as the co-Büchi assumptions and guarantees are fulfilled). The counter $q^R$ is however reset to 0 infinitely often (as the Büchi guarantees are fulfilled), which leads to infinitely many occurrences of colour 2, resulting in acceptance.

By taking these facts together, we obtain the following result:

Theorem 1. The parity automaton given above accepts precisely the words $w \in \Sigma^\omega$ that satisfy the overall specification, i.e., either there exists some automaton in $A \uplus B$ that rejects $w$ or all automata in $C \uplus D$ accept $w$.

5 On extending the approach to generalised Rabin(A;)-specifications with 

k > 1 

The construction given in the previous section only works for specifications whose assumptions and guarantees have Rabin index one. A natural question to ask is: does a similar construction also exist for guarantees and assumptions whose Rabin indices are greater than one?

In this section, we show that this is not the case. In particular, we prove the following theorem: 

Theorem 2. For all $k > 1$ and $c \in \mathbb{N}$, the following holds: In polynomial time, it is not possible to compute a control structure of size polynomial in $n_a + n_g$ for reducing the synthesis problem for specifications of the form

$(a_1 \wedge a_2 \wedge \ldots \wedge a_{n_a}) \rightarrow (g_1 \wedge g_2 \wedge \ldots \wedge g_{n_g})$

with all assumptions $a_1, a_2, \ldots, a_{n_a}$ and guarantees $g_1, g_2, \ldots, g_{n_g}$ given as Rabin automata of index at most $k$ to the non-emptiness problem of a parity automaton with $c$ colours such that its transition structure is the parallel composition of the transition structures of the Rabin automata and the control structure (unless P=NP).

Thus, the approach presented in this paper is in some sense as far as we can get without losing its 
good properties. These are: 

• the fact that the transition structure of A' is the parallel composition of the transition structures 
of the automata for the individual assumptions and guarantees and some control structure - this 
allows the efficient representation of the transition function in a symbolic way (e.g., by using 
binary decision diagrams, see, e.g., Drechsler and Sieling, 2001); 

• the constant number of colours.

In the remainder of this section, we show why Theorem 2 holds. For this, we use a theorem proven by Chatterjee et al. (2007). Let $(\otimes, k, [n])$ represent the set of generalised parity games with an acceptance condition type $\otimes \in \{\vee, \wedge\}$ and a number $k \in \mathbb{N}$ of colouring functions, with each colouring function having a co-domain of $\{0, \ldots, n\}$. Likewise, $[n]_+$ represents colouring functions having a co-domain of $\{1, \ldots, n\}$. A play in a generalised parity game with $\otimes = \vee$ / $\otimes = \wedge$ is accepting for player zero if for any/all of the colouring functions, respectively, the highest colour occurring infinitely often is even.

Theorem 3 (Chatterjee et al., 2007, p. 159). Given a game graph $\mathcal{G}$, for objectives $\Psi$ in $(\vee, k, [3]_+)$ and $\Phi$ in $(\wedge, k, [2])$, and a vertex $v$ in $\mathcal{G}$:

• checking whether $v$ is a vertex winning for player 1 for $\Psi$ is NP-hard;

• checking whether $v$ is a vertex winning for player 0 for $\Phi$ is co-NP-hard.

We are now ready to prove Theorem 2. 

Proof. Assume that Theorem 2 does not hold and that we have a specification of the form $g_1 \wedge \ldots \wedge g_{n_g}$ such that all Rabin automata for $g_1, \ldots, g_{n_g}$ have the same transition structure. Since we assume that the parity automaton is the parallel composition of the transition structures of $g_1, \ldots, g_{n_g}$ and some polynomial control structure, we obtain a parity automaton with a constant number of colours whose size is polynomial in $n_g$ and the number of states of the automaton for $g_1$. Emptiness of such an automaton can consequently be decided in time polynomial in $n_g$ and the size of the automaton for $g_1$.

This is, however, a contradiction to Theorem 3. To see this, note that Rabin automata with index 1 are essentially parity automata with a parity function with co-domain $\{1, 2, 3\}$: for a single Rabin pair $(E, F)$, requiring that $E$ is visited only finitely often and $F$ infinitely often, give the states in $E$ colour 3, the states in $F \setminus E$ colour 2 and all other states colour 1; then the highest colour occurring infinitely often is even exactly if the pair is satisfied. Likewise, a Streett automaton with a single acceptance pair is essentially a parity automaton with a parity function with co-domain $\{0, 1, 2\}$, and all such Streett automata have a Rabin index of at most 2. Assume that we have $n_g$ Streett automata with single acceptance pairs given as specification. If they all share the same transition function, we only have to consider it once in the combined parity game. This essentially leads to a game of size polynomial in $n_g$ and the size of the transition structure of the Streett automata. Since solving this game can be done in polynomial time and the result is always a correct answer to the problem posed in Theorem 3, this would imply co-NP=P as well as NP=P. □

So, provided that NP ≠ P, the only way to obtain a similar construction with a constant number of colours would be an approach that does not allow the technical trick of joining equivalent transition structures of the individual automata, which would be a strong indicator of unsuitability for symbolic implementations, essentially ruling out its usage for synthesis.
6 On application domains for the techniques described here

From a theoretical perspective, generalised Rabin(1) synthesis is a strict generalisation of generalised reactivity(1) synthesis and extends its scope by allowing co-Büchi assumptions and guarantees.

From a practical perspective, it is natural to ask whether the added expressivity in comparison to the approach by Piterman et al. (2006) is of practical value. Indeed, the benefit of the added possibility to work with co-Büchi guarantees and assumptions is not obvious. To shed light on this issue, we mention two possible application areas here:

• During the initialisation phase of a larger system implemented in hardware, the status of the system can be partly unspecified. In such a case, some components of such a system can deviate from their regular behaviour. Co-Büchi assumptions can be used to model the fact that at some point in time, such an initialisation phase is over. Additionally, co-Büchi guarantees can be used to allow deviations in the behaviour of a component of a larger system to be synthesized for a limited period of time (i.e., during the component's own initialisation phase).

• Bloem et al. (2009) discussed the benefit of adding robustness criteria to the synthesis process. In this setting, a process to be synthesized is expected to degrade gracefully on the violation of the assumptions used during synthesis. For example, consider a two-process mutex that is required to grant all requests in the same computation cycle. Formally, such a system has inputs $AP_I = \{r_1, r_2\}$ and outputs $AP_O = \{g_1, g_2\}$. Consider the specification $G(\neg r_1 \vee \neg r_2) \rightarrow G((r_1 \rightarrow g_1) \wedge (r_2 \rightarrow g_2))$. It only constrains the behaviour of the system if the two processes never request a grant at the same time. In case of a violation of this constraint, however, no restriction on the behaviour of the mutex is made. Bloem et al. (2009) argue that in practice, most systems are somewhat robust against such assumption violations. For example, the component to be synthesized could continue to respond to requests in the correct way after a violation of the assumption, i.e., whenever only one request is given at a time, the respective grant is given.

For the qualitative version of robust synthesis, co-Büchi specifications are a natural way to express such degradable parts of the assumptions or guarantees. For example, a finite-state system satisfying $FG(\neg r_1 \vee \neg r_2) \rightarrow FG((r_1 \rightarrow g_1) \wedge (r_2 \rightarrow g_2)) \wedge G(\neg g_1 \vee \neg g_2)$ can only violate the responsiveness guarantee infinitely often if the assumption $\neg r_1 \vee \neg r_2$ is violated infinitely often. Since it only has a finite number of states, it is thus forced to return to normal behaviour within a bounded amount of time after a computation cycle in which $\neg r_1 \vee \neg r_2$ is violated, which makes it a valid solution.

Bloem et al. (2009) presented algorithmic solutions for the robust synthesis problem for safety specifications. They leave an extension of their techniques to the liveness case as an open problem. As generalised Rabin(1) synthesis is able to handle such specifications, the technique presented here is a suitable solution to this open problem.
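The difference between the G-based and the FG-based mutex specification is easy to see on concrete traces. The following is an added example written for this page, not code from the paper or from Bloem et al. (2009). It assumes two hypothetical finite-state arbiters, RobustMutex (keeps granting single requests after a simultaneous request) and SulkingMutex (never grants again once it has seen one), runs them on constructed lasso-shaped input words, and evaluates both specifications. Because a finite-state system on an ultimately periodic input produces an ultimately periodic trace, $FG\,\varphi$ holds exactly when $\varphi$ holds at every position of the loop and $G\,\varphi$ exactly when it holds everywhere, so the infinite-word semantics reduces to finite checks.

```python
"""Robust two-process mutex: G-based versus FG-based specification.

Added example (not from the paper).  Two hypothetical finite-state arbiters are
run on constructed lasso-shaped input words and checked against

  gr1_spec:    G(~r1 | ~r2) -> G((r1 -> g1) & (r2 -> g2))
  robust_spec: FG(~r1 | ~r2) -> FG((r1 -> g1) & (r2 -> g2)) & G(~g1 | ~g2)

A lasso is a pair (prefix, loop) of valuations; the loop repeats forever, so
temporal operators over infinite words reduce to finite checks.
"""
from itertools import chain


# ---- LTL fragments on lassos ------------------------------------------------

def always(lasso, pred):
    """G pred: holds at every position of prefix and loop."""
    prefix, loop = lasso
    return all(pred(s) for s in chain(prefix, loop))


def eventually_always(lasso, pred):
    """FG pred: the loop is visited forever, so pred must hold on all of it."""
    _, loop = lasso
    return all(pred(s) for s in loop)


# ---- hypothetical controllers (Mealy machines) ------------------------------

class RobustMutex:
    """Stateless arbiter: one grant per cycle, r1 wins ties (hypothetical)."""
    initial = 0

    def step(self, state, inp):
        g1 = inp["r1"]
        g2 = inp["r2"] and not inp["r1"]
        return {"g1": g1, "g2": g2}, 0


class SulkingMutex:
    """Behaves like RobustMutex until both processes request in the same cycle;
    from then on it never grants again (hypothetical, deliberately non-robust)."""
    initial = 0  # 0 = normal operation, 1 = shut down

    def step(self, state, inp):
        if state == 1 or (inp["r1"] and inp["r2"]):
            return {"g1": False, "g2": False}, 1
        return {"g1": inp["r1"], "g2": inp["r2"]}, 0


def run(ctrl, in_prefix, in_loop):
    """Compose a controller with a lasso input word.  The controller state at
    the start of a loop iteration must eventually repeat (finitely many states);
    the segment between two equal states is the loop of the combined word."""
    state = ctrl.initial
    trace = []
    for inp in in_prefix:
        out, state = ctrl.step(state, inp)
        trace.append({**inp, **out})
    seen = {}
    while state not in seen:
        seen[state] = len(trace)
        for inp in in_loop:
            out, state = ctrl.step(state, inp)
            trace.append({**inp, **out})
    start = seen[state]
    return trace[:start], trace[start:]


# ---- the two specifications from the text ------------------------------------

def assumption(s):   # ~r1 | ~r2
    return not s["r1"] or not s["r2"]


def responsive(s):   # (r1 -> g1) & (r2 -> g2)
    return (not s["r1"] or s["g1"]) and (not s["r2"] or s["g2"])


def exclusive(s):    # ~g1 | ~g2
    return not s["g1"] or not s["g2"]


def gr1_spec(lasso):
    return not always(lasso, assumption) or always(lasso, responsive)


def robust_spec(lasso):
    return (not eventually_always(lasso, assumption)
            or (eventually_always(lasso, responsive) and always(lasso, exclusive)))


# Constructed input words (not from the paper).
BOTH, R1, R2, NONE = ({"r1": a, "r2": b} for a, b in
                      ((True, True), (True, False), (False, True), (False, False)))
INPUTS = {
    "clean":  ([], [R1, R2, NONE]),   # assumption never violated
    "glitch": ([BOTH], [R1, R2]),     # violated once, then never again
    "hammer": ([], [BOTH]),           # violated in every cycle
}


def verdicts():
    """Map (controller, input) -> (gr1_spec holds, robust_spec holds)."""
    out = {}
    for name, (pre, loop) in INPUTS.items():
        for ctrl in (RobustMutex(), SulkingMutex()):
            lasso = run(ctrl, pre, loop)
            out[(type(ctrl).__name__, name)] = (gr1_spec(lasso), robust_spec(lasso))
    return out


if __name__ == "__main__":
    for (ctrl, word), (gr1, rob) in sorted(verdicts().items()):
        print(f"{ctrl:13s} {word:7s} GR(1): {gr1!s:5s} robust: {rob}")
```

On the "glitch" word both controllers satisfy the G-based specification, since a single simultaneous request falsifies its assumption and discharges it vacuously; only the FG-based specification separates them, rejecting SulkingMutex because its responsiveness violation persists although the assumption holds from the second cycle on. On "hammer", where the assumption is violated in every cycle, both specifications accept both controllers, which is the intended reading of a co-Büchi assumption: it only demands recovery once violations stop.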

7 Conclusion 

In this paper, we have presented generalised Rabin(1) synthesis as a strict generalisation of generalised reactivity(1) synthesis and showed that it shares its good algorithmic properties. This increases the practical applicability of the approach and is thus a big step towards synthesis from large specifications. We also showed that the concept cannot be extended further without losing its good algorithmic properties.